Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ef3c3bc144...dd.exe

windows7-x64

7

ef3c3bc144...dd.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    22/04/2024, 21:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe

  • Size

    393KB

  • MD5

    b8464e043c9ba29f5b70fdaadf00922b

  • SHA1

    828d5c2072b34fd1b9a5988a303f354474d6fc1c

  • SHA256

    ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd

  • SHA512

    1b0ae871b17fee5381a047eefbdac50437a57fda1de6ada6e76c8fe13ce316f2a77a61c5d3e40e99af8616afa5534f31ebd5b2341e1e30fdcfda944fc5dd279f

  • SSDEEP

    6144:D+a0P2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1moHXG:D+aZahVy41

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe
        "C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3032
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1BDA.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe
              "C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe"
              4⤵
              • Executes dropped EXE
              PID:1108
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2504
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2676
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2716
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2436
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2564

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            f1ff0cfb99f6b0bf2a9e1de01f1ec6c2

            SHA1

            487ec0860993efcb76858a15e85372df2987750d

            SHA256

            bb358cb0d1d27f1977fc528b2706cc7dacebb059c6f13a894cf390aeeb2f72e0

            SHA512

            4eb05b18d762707e7c7632dd7c9b1858d9498c36998d23fd2b71ee37a5f09d8641db6397aae98d9c55aa4a5ed03189fdfbae2b50095ae5ccd88f75c361d739b4

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            477KB

            MD5

            c6c3f9890c41439a4dfc9fd4bec7b0bd

            SHA1

            f5c4a05f34d1a08abf73514f5b3ddcedc704f2f0

            SHA256

            462f333d5748c1a756e2565a2d76f89c9fdafb8d2fa62a83c60e4f70d0da2f92

            SHA512

            69212e26a76e5e67e2b1337bfd97ad766293d6c0093ce0d8ef5fa768cd002094d9de936620a479bb474e27ff359b08d751ccfe37b9a15824f39b548596a9098a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a1BDA.bat
            Filesize

            722B

            MD5

            0da5594eb9b11145a0dcd6cbc450c392

            SHA1

            a24c0d5f92cfeebb4a983765c238e227139cf50d

            SHA256

            64e274eb19a98c7c5e5f1efc4353a01aaf35a5d2551462f925bf40a99e14db99

            SHA512

            4a1d3bc70d2bfe01af16660356466d912679a70eac1747bf39f7eb463d7c26f3151f656b27c2235277760d1697454377f7c247c325a012ce865a1836ca724609

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe.exe
            Filesize

            360KB

            MD5

            5fbd45261a2de3bb42f489e825a9a935

            SHA1

            ff388f6e9efe651ec62c4152c1739783e7899293

            SHA256

            9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

            SHA512

            7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            02c56be1db3c03dbaf50330e686d3c74

            SHA1

            c38374d6d8db6163f21b27fb353778f94e3cd1e9

            SHA256

            98ce89e1c74b56f7336b4cfab30d0280e56f9dbef29a8c38ac7540e22df4b5b5

            SHA512

            c4ee4590c268296541f3031b16570d9fdd3d6bd85fa3cc2c2a4f5594bfd4888eee7749d2eb3a44cafe38a9cfa777ee82b58d9d0bf5c7682c2f8d02bdbba54ef4

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
            Filesize

            9B

            MD5

            a4e284afce5c2e93b509543e6064da82

            SHA1

            77a7ae3e38b05410dcf335f8abe1df4d7f0b141c

            SHA256

            f4460d1a85b2980fa2b8d329adda0fd330f8157d7afc2d7b1bad62453ff1dfe8

            SHA512

            8f2147ca54c96b0b05bf69a7919b5bf54b20036ba8336f6ba379c2abb0d31139a91d315130040ef1d06450dd624d8a8661396eb082407b8f7455be4d61351821

            Download Submit

          • memory/1184-27-0x00000000024B0000-0x00000000024B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2204-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2204-16-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2204-18-0x0000000000230000-0x000000000026F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2504-19-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2504-31-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2504-3322-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2504-4141-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download